Gladiator® Virtual Information Security Officer
TRANSCRIPT
© 2017 Jack Henry & Associates, Inc.®
Presented by: Viviana Campanaro – CISSP
December 13, 2017
Agenda
• Cybersecurity Challenges
• Regulatory Reality
• Role and Responsibilities of the ISO
• Gladiator vISO Service Overview
BankNews Innovative Solutions Award
Consulting/Outsourcing/Training Solution
Gladiator® Virtual Information Security Officer
Top Concerns
• Regulatory Compliance
• Cybersecurity and IT
• Reputation
Cybersecurity Threat Landscape
• Buffer Overflow
• Service Overwhelm
• Stealth Diagnostics
• DoS
• SQL Injections
• Phishing
• Web Browser Pop-Ups
• VBA, ActiveX, Flash Tricks
• OS Specific Attack Tools
• Cross-site Scripting
• SSL-encrypted threats
• Zombie Bots
• RDP Exploits
• Memory Scraping
• DDoS
• Ransomware
• APTs
• Spear Phishing
• Targeted Attacks
• Drive-by Downloads
• Watering Hole Attacks
• Self Replicating Code
• Password Guessing
• Password Cracking
• Disabling Audits
• Hijacking Sessions
• Exploit Known Vulnerabilities
• Packet Forging & Spoofing
• SPAM
• Back Doors
• Sweepers & Sniffers
(Chart axis labels from the slide: Pervasive, Limited, Challenging)
Cybercrime will Cost Businesses
• Rapid digitization of consumers’ lives and records
• Data breaches: $6.1 trillion globally by 2021
Source: Juniper, The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation
More Malware & More Attacks
2017 - Symantec Internet Security Threat Report
• 1.1B Identities exposed
• > 357M new malware variants
• > 400k Ransomware detections (463,841)
Why Are They Coming After Us?
2017 VDBIR
• 73% Financial
• 21% Espionage
• 6% FIG
Source: Verizon Data Breach Investigations Report
How Are They Coming After Us?
2017 VDBIR
• 62% Hacking
• 51% Malware
• 43% Social
Source: Verizon Data Breach Investigations Report
In the News
Equifax breach
• Unpatched machines
• 145 million records compromised
• 200k credit card numbers stolen
“...ordinary threats will harm even the most extraordinary security programs if they’re caught off guard.” – Fortinet Threat Landscape Report, Q3 2017
Cyber Resiliency
→ Cyber Breach Protection
→ Cyber Breach Detection
→ Cyber Incident Response
→ Cyber Breach Recovery
Attracting & Retaining Personnel
• 0% InfoSec unemployment
• Average ISO salary $193,000*
* Source: salary.com
Regulatory Reality
Regulators Making Cybersecurity a Priority
The FFIEC releases a revised Information Security booklet - FFIEC, September 9, 2016
FFIEC Releases Updates to Cybersecurity Assessment Tool - FFIEC, May 31, 2017
FFIEC Releases Cybersecurity Assessment Tool - FFIEC, June 30, 2015
Financial Regulators Release Revised Management Booklet - FFIEC, November 10, 2015
FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks - FFIEC, June 7, 2016
The FFIEC published frequently asked questions (FAQ) guide related to the Cybersecurity Assessment Tool - FFIEC, October 17, 2016
New York State Department of Financial Services Proposed 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies - NYSDFS, December 28, 2016
The FDIC launches the Information Technology Risk Examination (InTREx) Program - FFIEC, June 30, 2016
FFIEC Information Security Handbook
Source: FFIEC Guidelines
Written information security program
InfoSec management by an independent ISO
Separate InfoSec program management from IT operations
FFIEC Cybersecurity Assessment Tool (CAT)
Source: FFIEC June 2015
Board of Directors – Information Security
• Information Security Policies
• InfoSec Training
• Business Continuity Plan
• InfoSec Risk Assessment
• Vendor Management
• Audit Information
• Vulnerability Assessment
• Compliance/Risk Committee
• Incident Reporting
• Exam Information
Regulatory Reality
• 2015 – Financial Institutions receive “Recommendations”
• 2016 & 2017 – Financial Institutions receive Matter Requiring Attention (MRA)
InfoSec Regulatory Exam Focus
2014 – 2015
• Business Continuity
• IT Risk Assessments
• Log Archiving
2015 – 2016
• Vendor Management
• CyberSec Assessment Tool
• Ongoing VA Scanning
2016 – 2017
• Information Security Officer
• SIEM & Breach Detection
• Cyber-Prep & Resiliency
Role of the Information Security Officer
ISO & Regulatory Requirements
• Independent ISO or Committee
• Sufficient knowledge and training
• Separate InfoSec oversight from IT
• Rightsized InfoSec program
Source: FFIEC Guidelines
ISO Responsibilities
Responsible for the Administration and Execution of the Information Security Program
Audits & Exams
Trending: Virtual ISO Services
• IS Strategy
• Certified security & compliance
• Experienced
• Policies
• Assessments
• Reporting
• Training
In the News
The Rise of the Virtual Cyber Security Leader
“With cyber attacks and regulatory requirements on the rise, we are entering the age of outsourced cybersecurity.”
“The trend of establishing cybersecurity leadership is rapidly moving toward the virtual CISO.”
- MIS Training Institute, Nov. 27, 2017
Gladiator® IT Regulatory Compliance Team
ITRC Team Highlights
• Certified security and compliance experts
• Located in the USA
• 20+ years experience
• Banking background
• Compliance background
• Segregation of duties within JHA
Gladiator® IT Regulatory Compliance Team
• Risk & Compliance Consultants
  – Experience working with FIs
  – Certified Information Systems Auditor (CISA)
  – CISM, CRISC, CGEIT preferred
  – Knowledge and ongoing education on FI regulations
  – Lead client compliance projects for vISO services
  – Present to executive management and Board of Directors
Gladiator® IT Regulatory Compliance Team
• IT Compliance Consultants
  – Experience working with FIs
  – Knowledge and ongoing education on FI regulations
  – Ensure compliance with all applicable regulations
  – Perform policy and compliance reviews
  – Develop and maintain compliance documentation
vISO Service Elements
• Annual Recurring InfoSec Risk Assessment – Asset Based, Control Validation
• Written Information Security Program – Policies, Procedures, Forms
• Ongoing Compliance Management – Audit Support, Monthly Meetings
• Reporting
Gladiator® Virtual ISO Service Elements
Information Security Asset Based Risk Assessment
Description
• Consulting service
• Identify threats to FI’s classified assets
• Determine Inherent and Residual risk
• Provide Recommendations
Deliverables
• Executive Summary Report
• Control Validation Report
• Asset Classification Report
• Detailed Risk Results Report
• Remediation Sheet
Gladiator® Virtual ISO Service Elements
Written Information Security Program
Description
• Required policies and procedures for GLBA compliance
• Updated Annually
Deliverables
• IS Policies
• IT Management Manual
• eBanking Policies
Gladiator® Virtual ISO Service Elements
IS Ongoing Compliance Management
Description
• Consulting service
• Audit Support
• Educational materials
• IS Status Reporting
• 24/7 access to the Vault
Deliverables
• Periodic (Monthly or Quarterly) IS Status Reports
• ITRC Newsletter
• Security Timely Topics eblast
• Educational Webcasts
Gladiator® Virtual ISO Service Elements
IS Ongoing Compliance Management – Status Report
• Overview Status of InfoSec tasks
• Detailed Status of InfoSec tasks
• Project Status tracking
Gladiator® Virtual Information Security Officer™
• Validate information security program
• Empower management’s oversight
• Protect your reputation and your customers’ data
• Provide visibility into information controls
Thanks!
Viviana Campanaro – CISSP
Gladiator – Security & Compliance Sales Engineer